Prisma Cloud has created this PR to tag your IaC to Cloud resources. #1746
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Prisma Cloud Shift Left demo | |
on: [ push,pull_request ] | |
jobs: | |
prisma_cloud_job: | |
runs-on: ubuntu-latest | |
name: Run Prisma Cloud steps | |
env: | |
TL_USER: ${{ secrets.TL_USER }} | |
TL_PASS: ${{ secrets.TL_PASS }} | |
TL_CONSOLE: ${{ secrets.TL_CONSOLE }} | |
BYPASS_REPOSCAN: 1 | |
BYPASS_OSS_LICENSE: 1 | |
BYPASS_IMAGESCAN: 1 | |
BYPASS_WF: 1 | |
BYPASS_SANDBOX: 1 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
#- name: Check image Git dependencies has no vulnerabilities. | |
# run: bash ./files/checkGit.sh | |
- name: twistcli download | |
run: curl -s -k -u $TL_USER:$TL_PASS "https://$TL_CONSOLE/api/v1/util/twistcli" -v -o twistcli;chmod +x twistcli | |
- name: Repo Vulnerability scan | |
run: bash ./files/repoScan.sh | |
- name: OSS License Check | |
run: bash ./files/licenseCheck.sh | |
- name: Apply security policies (Policy-as-Code) for evilpetclinic | |
run: bash ./files/addPolicies.sh | |
- name: Image Sandbox analysis | |
run: bash ./files/sandbox.sh | |
- name: Scan Image for vulnerabilities | |
env: | |
JOB_NAME: github-actions | |
run: bash ./files/scanImage.sh | |
- name: Scan Image for Malware using Wildfire | |
run: bash ./files/malwareCheck.sh | |
- name: Run PC Code Security action | |
id: PCCS | |
uses: bridgecrewio/checkov-action@master | |
env: | |
PRISMA_API_URL: https://api.prismacloud.io | |
with: | |
directory: ./files | |
soft_fail: true # optional: do not return an error code if there are failed checks | |
api-key: ${{ secrets.BC_API_KEY }} | |
framework: all | |
quiet: false | |
output_format: cli # optional: the output format, one of: cli, json, junitxml, github_failed_only | |
download_external_modules: true | |
#log_level: WARNING # optional: set log level. Default WARNING | |
- name: Deploy evilpetclinic app | |
run: bash files/exec.sh deploy.sh | |
- name: Runtime attacks | |
run: bash files/exec.sh runtime_attacks.sh | |
- name: WAAS attacks | |
run: bash files/exec.sh waas_attacks.sh |